I have gone through the documentation on jboss.com and set up a basic proxy. Client requests are proxied over an ssl connection, but the connection to the cluster over port 6666 is unencrypted. I'm testing with the admin-console web app.

I've set the bindaddress on the 8443 connector to the host name of the server (which matches the common name on the certificate), however, according to the apache cluster manager, the name of the node is the ip address. This causes apache to throw up warnings about mismatches between the certificate CN and the server name. Is there a way to force the node to connect to the proxy using the hostname instead of the ip address?

I'm also experiencing intermittent 502 (Bad Gateway) problems. There is nothing logged on the app server side when these errors start happening, and on the apache side, the only thing logged is the 502 error:

I have the binding address for https connector set to the host name of the server. The host name matches the common name on the ssl certificate. The problem is that when jboss connects to the apache proxy, it's still using the IP address for the node name. This causes apache to throw up warnings because the common name on the ssl certificate doesn't match the ip address. I'd like to force the jboss and apache to use the host name instead of the ip address.

I think we've figured out the intermittent 502 errors. It seems iptables was configured to drop ack/fin packets from jboss. This would cause apache to attempt to reuse ssl sessions that were closed by jboss, which would cause iptables to reject connections from apache, which would cause apache to report bad gateways. We're continuing to test, but it's been working fine for a while now.

I'm not following... I'm not trying to do client side cert authentication. The issue I'm having is that jboss is configured to run https on port 8443. The server certificate for the jboss instance was issued with the host name as the CN. When this jboss node is added to the proxy on the apache httpd instance, the node is identified by the ip address. When apache establishes an https connection back to jboss on 8443, it throws up a warning because it's connecting using the ip address while the CN on the certificate jboss is presenting is the host name. I'm trying to figure out how to force the jboss node to be identified by the host name instead of the ip address in apache. Hope that made sense.

Looks like the 502s are back... iptables is off. It seems like it happens most often after a few hours of idle time (first time testing in the morning), but I'm also seeing it right after apache restarts...

I'd like apache to connect to jboss using the hostname. The certificate configured in jboss uses the hostname for the CN. The bind address on the connector for port 8443 specifies the hostname (that matches the CN). However, when the jboss node is added to the apache proxy, apache uses the ip address to connect back to jboss on port 8443. This causes a mismatch between ip and the CN. I'd like to force apache to use the hostname when proxying the requests.

>Well SSLProxyCheckPeerCN

I mistakenly assumed the cn check was off by default (seeing as how it works sometimes). I've turned it off now and will continue to monitor for 502 errors.

>Is it a permanent or an intermittent error?

It's not permanent. It seems to happen more often after an extended period of not being used (first time in the morning).
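As an added example, not taken from this thread or from the JBoss/mod_cluster project, here is an httpd configuration for the SSLProxyCheckPeerCN situation discussed above: the JBoss 8443 connector is referenced by hostname so that the peer checks can stay on, and the weakened setting is shown commented out for comparison. The hostnames, certificate and CA file paths, and the use of a static ProxyPass instead of mod_cluster's node registration are assumptions.

```apache
# Added example (not from the thread). Assumed names: backend host
# jboss1.example.internal, proxy host proxy.example.internal, internal CA
# bundle /etc/httpd/ssl/internal-ca.pem. Static mod_proxy is used here in
# place of mod_cluster's automatic node registration.
LoadModule ssl_module        modules/mod_ssl.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

<VirtualHost *:443>
    ServerName proxy.example.internal
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/proxy.crt
    SSLCertificateKeyFile /etc/httpd/ssl/proxy.key

    # Outbound TLS from httpd to the JBoss HTTPS connector on 8443.
    SSLProxyEngine on

    # Weak setting: turning the CN check off means httpd accepts a backend
    # certificate issued for any name, so the hop to 8443 is encrypted but
    # the backend's identity is no longer verified.
    # SSLProxyCheckPeerCN off

    # Hardened setting: verify the backend certificate against the CA that
    # issued it and keep the name and expiry checks on.
    SSLProxyVerify            require
    SSLProxyVerifyDepth       2
    SSLProxyCACertificateFile /etc/httpd/ssl/internal-ca.pem
    SSLProxyCheckPeerCN       on
    SSLProxyCheckPeerExpire   on

    # Reference the backend by hostname, not IP address, so the name httpd
    # connects to is the same name that appears as the CN on the JBoss
    # certificate and the check passes instead of being disabled.
    ProxyPass        /admin-console https://jboss1.example.internal:8443/admin-console
    ProxyPassReverse /admin-console https://jboss1.example.internal:8443/admin-console
</VirtualHost>
```

With the hardened block in place, a CN mismatch is reported as an error in the httpd SSL log rather than silently accepted, which is the signal to fix the backend name or certificate instead of relaxing the check.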